diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -357,6 +357,8 @@
 { 60075, "one object at a time must be copied" },
 { 60076, "NAT ioctl denied in jail without VNET" },
 { 60077, "NAT length of interface name is incorrect"},
+ { 60078, "NAT destination size is too short"},
+ { 60079, "NAT supplimental destination size is too short"},
 /* -------------------------------------------------------------------------- */
 { 70001, "incorrect object size to get pool stats" },
 { 70002, "could not malloc memory for new pool node" },
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -2088,6 +2088,11 @@
 error = ENOMEM;
 goto junkput;
 }
+ if (sizeof(*aps) > ipn.ipn_dsize) {
+ IPFERROR(60078);
+ error = ENOMEM;
+ goto junkput;
+ }
 bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
 if (in != NULL)
 aps->aps_apr = in->in_apr;
@@ -2105,6 +2110,11 @@
 error = ENOMEM;
 goto junkput;
 }
+ if ((aps->aps_psiz + sizeof(*aps)) > ipn.ipn_dsize) {
+ IPFERROR(60079);
+ error = ENOMEM;
+ goto junkput;
+ }
 bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data, aps->aps_psiz);
 } else {
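Review bot: The new 60079 entry misspells its message, and since this string is what the tool reports to the administrator when the check fires it should be fixed before it ships: `{ 60079, "NAT supplemental destination size is too short" },`. The neighbouring 60075/60076 entries put a space before the closing brace (`" },`) while 60077 through 60079 do not; the two new lines might as well follow the majority style. The numbers 60078 and 60079 do match the IPFERROR() calls added in ip_nat.c in this same diff.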
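Review bot: The added bound `sizeof(*aps) > ipn.ipn_dsize` compares a size_t against ipn_dsize, whose declared type is not visible in this hunk; if it is a signed int, a negative value is converted to unsigned for the comparison and sails through the check, so either confirm that ipn_dsize was already range-checked earlier in the function (outside this hunk) or make the sign explicit, e.g. `if (ipn.ipn_dsize < 0 || (size_t)ipn.ipn_dsize < sizeof(*aps))`. The same concern applies to the second check at @@ -2105, where `aps->aps_psiz + sizeof(*aps)` additionally depends on the type and range of aps_psiz, a value just copied out of the caller-supplied ipn_data, so an explicit non-negative check on it before the addition would make the bound self-evidently sound. Reporting ENOMEM for an undersized caller-supplied buffer reads oddly next to the allocation-failure ENOMEM a few lines above; EINVAL describes the situation better, unless the surrounding ioctl path deliberately uses ENOMEM for size mismatches. A one-line comment above the check, such as `/* ipn_data must hold at least the aps header before bcopy() reads it */`, would also help, given the function starts and ends outside the hunk.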